While internet users are trying to figure out what information is being stored and how it’s used, governments are also struggling with how to regulate online data.

Pending Legislation

Maryland and Illinois just introduced bills to forbid employers from asking for candidates’ social media passwords. Some companies have started demanding usernames and passwords during interviews, so they can look behind the candidate’s privacy settings. Others are requiring that the applicant “friend” someone in the HR department for the same purpose.

Last year, both the House and Senate in Congress introduced Do Not Track legislation that would require online service providers, including mobile applications, to allow users to “simply and easily indicate whether the individual prefers to have personal information collected.” An exception is made for information required for the service to function. The law leaves it to the FCC to define “personal information” and how such a law would be implemented.

Another bill, called the Do Not Track Kids Act of 2011, is also pending in the House. It adds extra protections for users under 18. All three bills have been sitting in committees for about a year while various reports on economic impact and constitutionality are prepared.

The White House summarizes the principles of the Consumer Privacy Bill of Rights as:

− Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.

− Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.

− Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.

− Security: Consumers have a right to secure and responsible handling of personal data.

− Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.

− Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.

− Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

The President has recommended that legislation enacting the Consumer Bill of Rights be introduced into Congress, that Do Not Track legislation be passed, and that the laws be enforced by the FCC.

Opting Out or Opting In?

The UK and Europe generally have more stringent rules about collecting, keeping and disbursing data. The philosophy there is that consumers should be able to find out what data is being kept, get copies of it, and ask that some or everything be removed–the right to be forgotten. Consumers in Europe generally expect privacy unless they specifically opt in. At the beginning of 2012, revisions to the Data Protection Directive were proposed that unify a series of privacy laws into the Data Protection Regulation. The new law would also require US companies to comply any time they collect or store data about European citizens.

The US and its companies take the opposite view. The default is opt in, unless a consumer expressly opts out. There are currently no requirements that consumers be notified about how their information is being used.

This difference is behind the trouble Google is having with its new privacy policy. The EU recently asked Google to answer specific questions about exactly what information is collected, how it is used across various services, and how it is stored.

In the meantime, PC Magazine reports that Explorer, Chrome, Firefox and Safari are all experimenting with Do Not Track or Opt Out mechanisms.

The “Utah Data Center” is purportedly designed to intercept and collect every digital communication, including all emails, phone calls, messages, search history, tweets and every other digital record or communication sent over phones or the internet.

It is not clear from the article, or from my research, how the government would be able to legally collect, view, and use these records without a search warrant under the 4th Amendment of the US Constitution.

Here is further discussion of the legal issues involved when the government, rather than a private company, searches data. It is a federal case involving the government’s use of cell phone location data.

Enforcement of Privacy Rights Will Be Difficult

In Information Privacy 3, we discussed how attempts to sue websites like Facebook and Amazon under Federal laws didn’t work. Those laws require that users show actual economic losses due to the invasions of privacy. That is difficult to do, since using information about you does not necessarily mean you lose money.

Privacy laws involving defamation don’t require a showing of loss–only the invasion of the privacy right. So I wonder why the privacy statutes impose the additional requirement of economic damage.

The new Do Not Track legislation and presumably any Consumer Privacy Bill of Rights will be enforced only by the FCC or a State Attorney General. At this point, there is no ability to bring a private lawsuit.

Even if you could bring a lawsuit, technology is moving so fast that neither the legislatures nor the courts will be able to keep up with it. Civil lawsuits usually take a couple of years. The Do Not Track legislation was introduced a year ago and is in no danger of being acted on anytime soon.

In two years, Apple has rolled out 3 versions of the iPad, several versions of the iPhone and Apple TV. Facebook doesn’t look or work the way it did 2 years ago. So almost the minute you bring a lawsuit, the technology will have changed, making the issue moot.

Also, the way legislation works is that Congress introduces bills to address current issues and technology. If they make the language too broad, the law becomes unenforceable–either because it is unclear, or because it may infringe on other constitutional rights of speech or association. If they make it too specific, it will be outdated soon after it is introduced–either because the technology has already surpassed the problem, or the coders will start working on it as soon as the bill is published.

So expecting either the government or the courts to protect information privacy online is probably unrealistic and impractical.

What to Do

Instead, I expect to see more lawsuits based on unfair or deceptive trade practices or breach of contract. The coders will always be faster than the lawyers drafting the End User License Agreements (EULAs) and the Privacy Policies, so the problems Facebook has had will continue.

I also expect to see more enforcement under state rights of privacy. For example, California’s Constitutional right to privacy applies to government, companies and individuals. And, the determinations about what is private and what to do about it are more clearly defined.

I expect legal recognition of a “digital likeness” just as we have property rights in our name and physical likeness. So when companies use information about our personal behavior for commercial purposes, a person can demand compensation. The tension will then become how to value the company’s use against the consumer’s value of getting free products and services.

Legal tactics aside, I expect users to do less running naked in the digital wilds. Pay more attention to what you post, and to the information you volunteer to websites.

I don’t think either companies or the government are out to get anyone. I do believe that if the information is online, or even digital, it can be found by others. So to quote the Zappos Social Media policy: “Be real and use your best judgment.”